Are We Honestly Trying To Fill The InfoSec Jobs Gap? Or Is Our Ego Stopping Us?

By Sean Martin

Welcome to a new episode of The Academy on ITSPmagazine.

Today I am joined by two long-time cyber professionals doing great things to help fill the cyber talent pool with candidates from all walks of life: Julian Waits from Devo and ICMCP, and Ed Moyle from The Prelude Institute. Given that I have two people on the show who are focused on overcoming the cyber talent shortage challenges, in today’s chat, we are going to explore this topic.

If you’ve listened to some of our podcasts and webcasts here on ITSPmagazine, you’ve likely heard me say that we are going through the cybersecurity hiring process with blinders on — meaning that we often search for candidates who look or sound a certain way, come from a certain professional background, have a specific certification, or are able to perform a specific set of technical tasks.

Having had many conversations with a number of folks looking squarely at the cybersecurity talent gap, I wholeheartedly believe that we are still wearing blinders. Sure, we may have opened the blinders up a bit to let a little light in on gender and race, but I think we’re still missing the main point.

This is one of many points that Julian makes in the form of a question that really sums things up:

“Are we hiring people to complete projects or to complete the mission?”
— Julian Waits

It turns out that if we are training students and looking for new security analysts who have a CS degree or a cybersecurity certification and can code, we are likely leaving a ton of potential talent on the table. This problem lands both in the younger generation coming into the business world AND for adults who are looking to transition from one career to another — veterans being the most widely used example, but there are many, many more (we touch on some of them during our chat).

It’s important to note that the blinders problem I refer to isn’t limited to the hiring organizations and their hiring teams as I alluded to earlier — it’s that the potential pool of talent is also wearing blinders. Pause to think about it for a second and you’ll realize that we have created a persona for the cybersecurity professional that is mysterious and, in some ways, both feared and worshipped … but, more importantly, we’ve put this role on a pedestal, essentially suggesting that only the smartest of the smartest people can join the ranks of InfoSec. Nothing could be further from the truth.

Yes, we need cybersecurity professionals who can crunch numbers, analyze data and code. But we also need people who are creative, can problem solve, and know how to define and run programs (not software programs, operational programs). Once we remove the math- and engineering-based blinders, we’ll see more potential candidates. Yes, these candidates will need training, but if there’s a real need, we’ll find a way to provide the training.

As an example, there’s a tremendous need for nurses — and the medical industry has found a way to attract more people: through specialized programs, trade schools, and even commercials on television designed to let people know these jobs — and the training required — exists.

Beyond this initial connection, as we continued talking, we realized that the nursing role has many parallels to the InfoSec role … and the three of us talk through some of the scenarios to uncover how we might learn — and leverage what is already working — from other industries and roles, such as that of nursing.

InfoSec isn’t the first industry faced with a shortage in the workforce, so we shouldn’t try to solve the problem as if we were.

I thoroughly enjoyed this conversation with Ed and Julian and am glad we found the time during RSAC to make it happen.

About Julian Waits
GM, Cyber Security Business Unit, Devo


Julian has 30+ years in senior leadership roles at technology companies, specializing in security, risk and threat detection. He serves on several industry Boards, including ICMCP and NICE, promoting development of the next generation of cyber security professionals.

Find Julian on LinkedIn and Twitter


About Ed Moyle
General Manager and Chief Content Officer, Prelude Institute


Ed Moyle is currently General Manager & Chief Content Officer at Prelude Institute. Prior to joining Prelude, Ed was Director of Thought Leadership and Research for ISACA and a founding partner of the analyst firm Security Curve. In his 20+ years in information security, Ed has held numerous positions including: Senior Security Strategist for Savvis (now CenturyLink), Senior Manager with CTG's global security practice, Vice President and Information Security Officer for Merrill Lynch Investment Managers, and Senior Security Analyst with Trintech. Ed is co-author of "Cryptographic Libraries for Developers" and a frequent contributor to the Information Security industry as author, public speaker, and analyst.

Find Ed on LinkedIn